From 17f2188756d27d1b2f0eff5495e983a3c95c55cc Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Mon, 31 May 2021 15:21:46 +0200
Subject: [PATCH] forecast: Ignore per-CPU CHILD_SAs

Not sure if this combination does make sense as the plugin itself would be a major bottleneck. Similar to the connmark plugin, PREROUTING rules list SPIs or UDP ports, which would be necessary for all SAs while the OUTPUT rules would only be required once.
---
 src/libcharon/plugins/forecast/forecast_listener.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/libcharon/plugins/forecast/forecast_listener.c b/src/libcharon/plugins/forecast/forecast_listener.c
index 4983835f19..3d000bc48c 100644
--- a/src/libcharon/plugins/forecast/forecast_listener.c
+++ b/src/libcharon/plugins/forecast/forecast_listener.c
@@ -500,7 +500,8 @@ static bool commit_handle(struct iptc_handle *ipth)
 static bool handle_sa(child_sa_t *child_sa)
 {
 return child_sa->get_mark(child_sa, TRUE).value &&
- child_sa->get_mark(child_sa, FALSE).value;
+ child_sa->get_mark(child_sa, FALSE).value &&
+ !child_sa->use_per_cpu(child_sa);
 }
 
 METHOD(listener_t, child_updown, bool,
-- 
2.47.3
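Review bot: The new `!child_sa->use_per_cpu(child_sa)` term makes handle_sa silently reject per-CPU CHILD_SAs, so an operator who enabled forecast on such a connection gets no forwarding rules and nothing in the code says why; the rationale lives only in the commit message. A short comment above the function would keep it with the code, e.g. `/* per-CPU SAs are not handled: PREROUTING rules would be needed per SA and the plugin itself would be a bottleneck */`. Whether the skip is visible at runtime depends on the caller in child_updown, which starts after this hunk; if it does not already log a skipped SA, a DBG1(DBG_CFG, ...) there would make the missing rules diagnosable rather than a surprise during traffic debugging.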